I don't think Container Managed Security has provisions for logging users out, other than by expiring the session (and not even then if you're relying on HTTP authentication rather than form-based).

If you have a separate 'login' page (as opposed to having a login form on each page) you might be able to get away with invalidating the session when that page is shown, with the caveat that logged in users would implicitly be logged out if they visit that page.

Perhaps it would help to more fully describe the use case (i.e. 'user is logged in and tries to log in...') and how it is failing (i.e. 'user stays logged in as old user'), along with specific details of how you have authentication configured.

L.

Adam Gordon wrote:
If you mean protecting the page w/ a security constraint, I think that would be a problem in that JAAS would detect that it's a protected resource and prompt the user to log in before hitting the login page and upon a successful login would redirect the user to the login page after they've already logged in. And even if I modified the login page to redirect to the default home page in the webapp, the problem is when they try logging in as someone else without logging out - JAAS/Tomcat detects that they are already logged in (have an authenticated session) and so would bypass any authentication mechanism.

--adam

Dale Newfield wrote:
Adam Gordon wrote:
We're using JAAS for webapp authentication and we've discovered an issue: If user A is logged in and tries to log in as user B, they stay logged in as user A.

Couldn't you protect the login form page and action so that they're only accessible by a session without any valid login credentials? That way the only way to log in as B would be to first log out as A (or in some other way start a new session w/o A's credentials).

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



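A concrete form of the workaround L. describes above (invalidate the session when the dedicated login page is shown, accepting that an already-authenticated user who visits it is implicitly logged out), written here as an added example; it is not code posted by anyone in this thread. It assumes a Tomcat webapp using FORM authentication against a JAAS realm, a dedicated login page at /login.jsp and a protected entry URL at /secure/ (both hypothetical), and uses only the Servlet 2.x API, where session invalidation is the only logout primitive available to the application. The filter deliberately does not touch j_security_check: Tomcat's form authenticator keeps the saved original request in the session, so invalidating at the action URL rather than the page would break the login it is trying to enable.

```java
// Added example for this thread, not project code. Hypothetical package name.
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Drops any existing session when the dedicated login page is requested, so
 * that a FORM login always starts from an unauthenticated session and user A
 * cannot stay logged in while submitting credentials for user B.
 *
 * Caveat (as noted in the thread): a logged-in user who visits the login
 * page is logged out by this filter, whether or not they meant to be.
 *
 * Assumed web.xml wiring (hypothetical names):
 *
 *   <filter>
 *     <filter-name>LoginPageResetFilter</filter-name>
 *     <filter-class>example.LoginPageResetFilter</filter-class>
 *     <init-param><param-name>loginPage</param-name><param-value>/login.jsp</param-value></init-param>
 *     <init-param><param-name>protectedEntry</param-name><param-value>/secure/</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>LoginPageResetFilter</filter-name>
 *     <url-pattern>/login.jsp</url-pattern>
 *   </filter-mapping>
 */
public class LoginPageResetFilter implements Filter {

    // Defaults are assumptions; override them via init-params.
    private String loginPage = "/login.jsp";
    private String protectedEntry = "/secure/";

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("loginPage");
        if (p != null) loginPage = p;
        String e = cfg.getInitParameter("protectedEntry");
        if (e != null) protectedEntry = e;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;

        // Path relative to the context, so the check works regardless of where
        // the webapp is deployed.
        String path = r.getRequestURI().substring(r.getContextPath().length());

        if (loginPage.equals(path) && r.getUserPrincipal() != null) {
            HttpSession s = r.getSession(false);
            if (s != null) {
                // Discards the container's authenticated principal along with
                // the rest of the session state.
                s.invalidate();
            }
            // Send the now-anonymous user at a protected resource rather than
            // straight to the form: the container then issues its own FORM
            // challenge and records the saved request that j_security_check
            // expects to find in the (new) session.
            w.sendRedirect(r.getContextPath() + protectedEntry);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Note that the filter only fires when getUserPrincipal() is non-null, so an anonymous visitor reaching the login page through the container's normal redirect is left alone and their saved request survives; only the "already logged in as A" case is reset. With HTTP BASIC or DIGEST authentication this approach does nothing useful, as L. points out, because the browser re-sends the cached credentials on the next request regardless of server-side session state.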